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INTRODUCTION 

In these times of rapidly changing views of quality control, International Standards Organization ISO 9000, 
growing international trade, and NAFTA, the role of the quality audit is becoming more important, more costly, and 
more applicable. Realizing the changes and growth in that industry, I believe it is appropriate to address this paper 
to the fastener industry, presenting the auditing processes of the financial community, as a potential model for a new 
tool to be evaluated. As envisioned this tool should be applicable to any commercial or industrial operation. 

Audit review is an essential process and/or spot check of both financial and industrial processes. 

It seems appropriate to step back and take a new look at the "system" used to plan a quality audit. It is my 
government experience (and industrial for many years) that the planning of an audit is considered in the general 
light of choosing units (areas, functions) to look at without always understanding the system level flow of 
documentation (internal control). This paper will concentrate in the area of INTERNAL CONTROL in developing 
the financial audit model for a quality audit in the fastener industry. 

The rapid growth of ISO 9000 implementation has also added a new dimension to the quality audit. For the 
first time in the industrial area independent third parties (non-contract to purchase) are being used to conduct our 
audits. The maintenance of the INTERNAL CONTROLS, that guide the system and provide the quality process 
control, is in the manufacturer’s control. 

In a world where competition seems to be the prime mover, cost and quality must be co-partners in achieving 
market share and maintaining profitability. To aid the fastener industry (and others as well) in meeting these 
challenges, it may be beneficial to look at another form of auditing and see if its principles or processes can be 
applied to the industrial quality audit. 

Although all of us have read financial reports from time to time and have seen the accompanying letter from 
the "independent” auditor, how many of us have looked at what was entailed in writing the somewhat stilted verses 
of the auditor. Is it akin to an IRS audit that some fear? Is it like the "quality audit" that industry uses? Is there a 
process within the financial audit that can be carried to the manufacturing setting? 

The purpose of this paper is to suggest that the answer to this last question is YES! There is a great deal to be 
learned in studying the well developed audit process used in the financial world. This paper will suggest that many 
of the financial auditing concepts can be applied to the "industrial quality audit”. 


THE MATHEMATICAL MODEL 

To begin, at first glance, a "Quality Audit" text and "Financial Audit" text may look very similar and in fact 
are in many ways. On a further examination, aside from legal and regulatory aspects, it is apparent that the 
methodology of the financial audit is much better defined. 

A financial audit is planned by using the following equation either quantitatively or qualitatively: 


INHERENT RISK X CONTROL RISK X DETECTION RISK = AUDIT RISK 


where 

INHERENT RISK 
CONTROL RISK 
AUDIT RISK 
DETECTION RISK 


RISK associated with the industry and customer. 

RISK that the internal controls set up to maintain a system will fail. 

RISK assumed by the auditor that they will reach a favorable conclusion in error. 
RISK that a selected test will not detect an error where an error exists. 
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Rearranging this equation in to a more relevant form yields: 

DETECTION RISK = AUDIT RISK / (CONTROL RISK X INHERENT RISK) 

Looking at this equation from a mathematical point of view it becomes apparent that if the INHERENT RISK 
is set at 100 percent (1) then the DETECTION RISK is simply the ratio of the AUDIT RISK to the CONTROL 
RISK. The DETECTION RISK (allowable to maintain the set AUDIT RISK) is lowered by increased CONTROL 
RISK. Simply stated this means that more SUBSTANTIVE (the process of obtaining real audit data) tests of the 
evidential matter must be done to maintain a lower DETECTION RISK. 

Going into an financial audit, the auditor knows, based on industry standards, legal considerations, and cost 
what level of AUDIT RISK is acceptable. This number is usually set around five percent. In other words the 
auditor accepts a five percent risk that they will give a clean acceptance when in fact there is a problem. 

The financial auditors then assess the INHERENT RISK and the CONTROL RISK. The DETECTION RISK, 
the chance that they will give a favorable opinion on an unfavorable condition, thus becomes the dependant 
variable. The actual amount of tests (SUBSTANTIVE) to be done on accounts or records to satisfy the auditors that 
proper conditions exist is set in this manner. The DETECTION RISK becomes, in essence, the determining value 
on which the depth of the real audit is conducted; i.e., if the detection risk allowed is high then the actual number of 
records that need to be examined will be low. Bear in mind that the more actual tests to be performed the higher the 
cost of the audit to all parties! 

The application of this mathematical model as envisioned in the quality world would be largely qualitative. 
Quality managers would assess the INHERENT RISK and AUDIT RISK while quality engineers would establish 
the CONTROL RISK and the technicians would perform the tests dictated by the DETECTION RISK. 

To further clarify this equation consider that you have a shipment of 1/2 - 13 X 4 Grade 8 fasteners on your 
dock. You are not familiar with the manufacturer and you have never audited the concern. Your INHERENT RISK 
would be 100 percent or IR = 1. Next assume that the you know nothing of how this company controls quality; 
assume that the CONTROL RISK is now 100 percent or CR = 1. Your equation now says that your DETECTION 
RISK is equal to your AUDIT RISK. If you want to be 95 percent certain that any attribute is correct you would 
simply apply standard statistical controls ie with a population of some number and 95 percent certainty for 
90 percent confidence choose X number of samples. Assume now that you do not know the vendor but you do 
know (through ISO 9000 registration!) that the vendor has excellent control (INHERENT RISK 100 percent, IR = 1; 
CONTROL RISK 10 percent, CR = 0.1). Your DETECTION RISK (allowable) now becomes ten times your audit 
RISK; on an audit basis you now need to test very few samples to assure your self of the desired quality. 


APPLYING THE FINANCIAL MODEL TO QUALITY 

A financial audit begins with an assessment of the INHERENT RISK. INHERENT RISK is broadly defined 
by the type of industry, the history of the entity, and the past relationship of the auditors with the client. For 
example; if the entity being audited has a small inventory, uncomplicated debt structure and has been a client of the 
auditor's for some years, it is reasonable to assume that the INHERENT RISK is low. If, however, the audit clients 
inventory is traditionally very large and distributed about the country on consignment or the customer is new or 
there is a complicated debt structure arrangement involving personal loans from officers etc., the auditors would 
probably increase the INHERENT RISK. This same process could be formally applied to a quality audit. Suppose 
you are buying heading dies long term from two different sources and wish to audit the sources. One of your 
sources is a supplier that is manufacturing the dies from D2 tool steel only; they machine the dies at their facilities 
and heat treated them in their own furnaces. The second supplier is a large distributor selling you a generic die 
purchased from multiple sources that in turn subcontract machining and heat treating. It is intuitively obvious that 
the INHERENT RISK is lower with the first supplier. (This does not mean that the small supplier is preferential, 
higher quality, or more or less costly! It simply means that there are more places for trouble at the second source - 
not that the trouble exists.) 

In the quality audit a "pre-award survey" and/or "post award survey" could be one of the vehicles for a formal 
assessment of INHERENT RISK. 

The second assessment is CONTROL RISK. Many people have little or no concept of the idea of INTERNAL 
CONTROLS in a financial sense. Most think of INTERNAL CONTROL, if at all, as making sure the cash in the 
cash drawer is correct or that a teller's window balances. Most people rarely consider why there are maybe three 
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copies of the "bill of lading" or why there are possibly six copies of a purchase order. These type of items, in the 
financial world, are a critical part of INTERNAL CONTROLS. In a "quality audit" the INTERNAL CONTROL is 
what, in many cases, is looked at first but rarely in a formal sense (ISO 9000 may be changing this). Again the 
concept that this paper would like to suggest most strongly is that a formal review and assessment of the entity’s 
INTERNAL CONTROLS at the system level should be made a continuous and documented part of every audit. In 
my opinion, without this fundamental process established and working, the overall quality control audit process is, 
in many cases, impaired. As customers, understanding the INTERNAL CONTROLS for quality is critical. If 
controls are found to be lacking, the vendor must be encouraged to change them, another vendor must be located, or 
sufficient resource must be expended to assure the goodness of purchases. If INTERNAL CONTROLS are found to 
be excellent then the scope of the audit (and the future frequency) that must be supported can be reduced 
commensurately. This will allow resources to be concentrated in areas where they will contribute most effectively 
to true quality and profits. 

A Financial auditors would, before beginning actual "auditing", study the INTERNAL CONTROLS of their 
clients. This would include a very high probability that the INTERNAL CONTROLS would be documented by 
flowcharting at the system level. Figure la is an example of a possible outcome of such a flowchart for a Sales 
Order and Inventory process, certainly applicable to a fastener manufacturer or distributor. At a glance you can see 
how, in the system, the "paper" flows. Suppose it was noted that all the SALES ORDERS did not go through the 
CREDIT department as shown in the modification, figure 1(b). Assume that high risk accounts were discussed 
every afternoon with the shipping department to catch and cancel poor credit customers. Immediately it is known 
why some sales will get to unapproved customers! The point here being that for an auditor just to plunge into 
Accounts Receivable Allowance for Bad Debt and report back that there were more bad debts than had been 
estimated begs the question of why this is happening. Conversely, without the above control knowledge the auditor 
could easily give a favorable opinion when in fact a real problem potentially exists. Without a thorough 
understanding of the INTERNAL CONTROLS for this area management would be lost as to the root cause of 
excessive bad debt. 

Contrast this above paragraph with figure 2(a). (This paper DOES NOT suggest that more paper work is 
needed, that there needs to be 3 copies of the inspection plan, or that all processes must be changed. The sole 
purpose in presenting these diagrams is to illustrate an idea!) Figure 2(a) depicts a fastener manufacturing scheme 
for special orders, at the system level. Consider auditing this process either internally or externally. It has been my 
experience that auditors would generally go into the inspection area and start going through filed reports of data 
packages. If in going through the reports several missed inspections were found, knowledge of the process could 
well lead to the root cause that is suggested by figure 2(b). It is also possible that internal rejections caused by 
failure to get special inspections to the production traveler in an efficient manner may have delayed critical 
deliveries or cause unwilling compromise. With out system knowledge (best provided by flowcharts) the corrective 
action imposed by an audit may not cure the problem. 

Another benefit to the flowchart would be the prior knowledge could cause an audit team to intensify their 
activity in this area that would confirm or deny that the vendor had indeed maintained good control. 

The conclusion drawn without the flow chart of INTERNAL CONTROLS might be far different than if you 
had the INTERNAL CONTROLS flowchart. From the flowchart it can be immediately seen that the Approved 
Inspection Report does not go to the production floor. (Maybe the shop relies on experienced workers to establish 
inspection criteria; maybe there is some other good control in place!) In any event, with prior knowledge, the audit 
team would be given the opportunity to make a more sound (and cost effective) decision about the actual audit. The 
conclusion of the team WHETHER OR NOT THEY FOUND DISCREPANCIES might well be to alter the 
INTERNAL CONTROL to allow the Approved Inspection Report to flow to the shop floor. 

One of the real values in this process is that weaknesses are relatively apparent and the "health" of the paper 
flow itself can be monitored. The financial world would call these test "analytical procedures or test of controls". 
Such "financial" test of control may well be too elaborate (or formal) for most quality audits but the concept should 
be readily applied through simple procedures. Armed with the knowledge that the INTERNAL CONTROLS 
system is in place and working (or not in place and/or not working) a financially prudent and technically sound risk 
decision can be made on the extent of the actual audit needed. This decision in the fastener industry might involve 
realizing that the receiving inspection of a supplier is in excellent condition, but additional time needs to be spent in 
the mechanical testing area for the wire that is supplied. Continued knowledge of a suppliers INTERNAL 
CONTROLS should lead to reduced cost of audits, continuous improvement by the supplier, and enhanced quality. 

The above process should also be applied to internal audits of our own facilities. In many cases it is possible 
for engineering and manufacturing as well as accounting to help each other by inviting the over laying of the 
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financial audit methods on manufacturing facilities. This should begin on a test basis and expand as the process 
defines itself and shows its value added benefits. 


PRACTICAL EXAMPLES 

Two examples are presented in closing as illustrations of qualitative application of the above principles. Both 
are actual experiences applying the above reasoning in assessing contractors ability to perform and estimating 
needed human resources. These examples suggest how the above discussed concepts could be applied in everyday 
quality audit situations. Both involve small Space Shuttle payloads being integrated into the Shuttle. Both are 
minor dollar considerations that allow considerable program (not safety) risk. 

The first of the small programs was being managed by a large aero space contractor - the INHERENT RISK 
was valued low in that this company was totally integrated into the business at hand, had successfully done similar 
programs, and had a good track record. The INHERENT RISK at the second contractor was rated as low but 
somewhat higher than the first being that the second contractor was a university. From a audit point of view (and 
cost) this assessment meant that little if any time was spent with the first contractor evaluating their ability to do the 
program. At the second contractor, time was spent discussing past programs and experiences of the University in 
handling such a contract. 

In the area of CONTROL RISK the first contractor had a KNOWN control system that was felt did not need 
(based on our past experience) to be extensively tested or reviewed except in special areas such as outside contracts. 
The audit discussions centered around verification that the control system was being applied. When satisfactory 
answers were obtained it was not felt necessary to delve deeper into the system as would routinely be done. The 
second contractor was reviewed much more closely in the control (due in part to likely deviations from industrial 
norms seen many times in the academic environment) area making certain that the level of control was satisfactory 
for our use. Again time (dollars) were saved using this 'structured thinking' approach to quality audit. 

The results of the above can be used in accomplishing the quality audits when they actually occur. A recom- 
mendation that very little SUBSTANTIVE testing need be done at the first contractor, based on a STRUCTURED 
approach during the initial assessment, can prudentially be made. The recommendation for the second contractor 
was a combination of tests pointed at TEST OF CONTROLS - does their INTERNAL CONTROL system really 
work as they say it does? Then the final SUBSTANTIVE test will be applied; definitely somewhat more than the 
first contractor but based on the TEST OF CONTROL (which is expected to be excellent) only moderate in scope 
and consequently more cost effective. 

Certainly the above is somewhat superficial and risk is certainly being added by suggesting that the actual 
audit be reduced. But in times of 'better faster cheaper’ this approach does lend logic and credibility to the decision 
to reduce the overall scope of the audit. 


CONCLUSION 

In conclusion this paper is suggesting that the quality audit community should study the financial audit model 
and adopt their concepts (on a trial basis). This effort should begin with documentation of the SYSTEM level 
quality control process. Once understood and in control the actual "volume" of the audit can be reduced based on 
the relationship of the auditors to the customer and the customers business (INHERENT RISK) and the efficiency of 
the customers internal controls (CONTROL RISK). 

To re-emphasize the two concepts that needs development most in the quality audit arena are: 

a formal review and assessment of an entity’s INTERNAL CONTROLS at the system level should be made a 
continuous and documented part of every audit. 

knowledge of a suppliers INTERNAL CONTROLS should lead to reduced cost of audits, continuous 
improvement by the supplier, and enhanced quality. 
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Sales Order 


Credit 


Accounts Receivable 



A. Obtain carrier signature on 
bill of lading 

B. Examine documents for 
proper review and approval 

(a) 



Figure 1 . — Internal control flowchart for sales orders and inventory. Reprinted by permission from Auditing Concepts & Application: A Risk Approach 2/e by 
Konrath, 1 993 by West Publishing Company. All rights reserved. 
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